Search criteria
4 vulnerabilities by iagona
CVE-2023-35763 (GCVE-0-2023-35763)
Vulnerability from cvelistv5 – Published: 2023-07-18 17:23 – Updated: 2024-10-21 15:56
VLAI?
Summary
Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a cryptographic vulnerability that could allow an unauthenticated user to decrypt encrypted passwords into plaintext.
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| iagona | ScrutisWeb |
Affected:
0 , ≤ 2.1.37
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T15:56:17.814185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T15:56:28.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ScrutisWeb",
"vendor": "iagona",
"versions": [
{
"lessThanOrEqual": "2.1.37",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a cryptographic vulnerability that could allow an unauthenticated user to decrypt encrypted passwords into plaintext."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-18T17:23:43.966Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"source": {
"discovery": "Neil Graves, Jorian van den Hout, and Malcolm Stagg reported these vulnerabilities to CISA."
},
"title": "Iagona ScrutisWeb Use of Hard-coded Cryptographic Key",
"x_generator": {
"engine": "VINCE 2.1.2",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2023-35763"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-35763",
"datePublished": "2023-07-18T17:23:43.966Z",
"dateReserved": "2023-07-13T17:28:15.844Z",
"dateUpdated": "2024-10-21T15:56:28.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33871 (GCVE-0-2023-33871)
Vulnerability from cvelistv5 – Published: 2023-07-18 17:21 – Updated: 2024-10-28 15:18
VLAI?
Summary
Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a directory traversal vulnerability that could allow an unauthenticated user to directly access any file outside the webroot.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| iagona | ScrutisWeb |
Affected:
0 , ≤ 2.1.37
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:13.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T15:18:30.428844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T15:18:50.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ScrutisWeb",
"vendor": "iagona",
"versions": [
{
"lessThanOrEqual": "2.1.37",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a directory traversal vulnerability that could allow an unauthenticated user to directly access any file outside the webroot."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-36 Absolute Path Traversal",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-18T17:21:16.587Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"source": {
"discovery": "Neil Graves, Jorian van den Hout, and Malcolm Stagg reported these vulnerabilities to CISA."
},
"title": "Iagona ScrutisWeb Absolute Path Traversal",
"x_generator": {
"engine": "VINCE 2.1.2",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2023-33871"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-33871",
"datePublished": "2023-07-18T17:21:16.587Z",
"dateReserved": "2023-07-13T17:28:15.850Z",
"dateUpdated": "2024-10-28T15:18:50.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38257 (GCVE-0-2023-38257)
Vulnerability from cvelistv5 – Published: 2023-07-18 17:17 – Updated: 2024-10-28 15:29
VLAI?
Summary
Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insecure direct object reference vulnerability that could allow an unauthenticated user to view profile information, including user login names and encrypted passwords.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| iagona | ScrutisWeb |
Affected:
0 , ≤ 2.1.37
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:39:12.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T15:28:44.615242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T15:29:08.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ScrutisWeb",
"vendor": "iagona",
"versions": [
{
"lessThanOrEqual": "2.1.37",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insecure direct object reference vulnerability that could allow an unauthenticated user to view profile information, including user login names and encrypted passwords."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-18T17:17:29.939Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2023-38257",
"x_generator": {
"engine": "VINCE 2.1.2",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2023-38257"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-38257",
"datePublished": "2023-07-18T17:17:29.939Z",
"dateReserved": "2023-07-13T17:28:15.854Z",
"dateUpdated": "2024-10-28T15:29:08.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35189 (GCVE-0-2023-35189)
Vulnerability from cvelistv5 – Published: 2023-07-18 17:12 – Updated: 2024-10-28 15:30
VLAI?
Summary
Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote
code execution vulnerability that could allow an unauthenticated user to
upload a malicious payload and execute it.
Severity ?
10 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| iagona | ScrutisWeb |
Affected:
0 , ≤ 2.1.37
(custom)
|
Credits
Neil Graves, Jorian van den Hout, and Malcolm Stagg reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:23:59.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35189",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T15:29:50.793073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T15:30:01.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ScrutisWeb",
"vendor": "iagona",
"versions": [
{
"lessThanOrEqual": "2.1.37",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Neil Graves, Jorian van den Hout, and Malcolm Stagg reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\nIagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote \ncode execution vulnerability that could allow an unauthenticated user to\n upload a malicious payload and execute it.\n\n\u003c/p\u003e"
}
],
"value": "Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote \ncode execution vulnerability that could allow an unauthenticated user to\n upload a malicious payload and execute it.\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-18T17:14:57.706Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nIagona has developed and released Iagona ScrutisWeb v2.1.38.\n\n\u003cbr\u003e"
}
],
"value": "Iagona has developed and released Iagona ScrutisWeb v2.1.38.\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Iagona ScrutisWeb Unrestricted Upload of File with Dangerous Type",
"x_generator": {
"engine": "VINCE 2.1.2",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2023-35189"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-35189",
"datePublished": "2023-07-18T17:12:24.681Z",
"dateReserved": "2023-07-13T17:28:15.859Z",
"dateUpdated": "2024-10-28T15:30:01.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}